Re: RFC rpc.gssd enhancement

linux-nfs.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Steve Dickson <SteveD@redhat.com>
To: Lukas Hejtmanek <xhejtman@ics.muni.cz>
Cc: linux-nfs@vger.kernel.org
Subject: Re: RFC rpc.gssd enhancement
Date: Tue, 29 Nov 2016 14:28:10 -0500	[thread overview]
Message-ID: <2ff5b760-a3ca-9ab8-d1a8-efe5f36aaaf3@RedHat.com> (raw)
In-Reply-To: <20161129184843.jrwbnytggrz6kdir@ics.muni.cz>



On 11/29/2016 01:48 PM, Lukas Hejtmanek wrote:
> Hello,
> 
> On Tue, Nov 29, 2016 at 01:37:00PM -0500, Steve Dickson wrote:
>> The kernel would do an upcall to the user's
>> creds but they have expired. Now if this 
>> new option is set, rpc.gssd would used 
>> the machine's cred? It seems to me that
>> would not be too secure.
> 
> maybe it is not considered secure, but it is still more secure to me than
> using sec=sys. 
True.

> 
> the problem is, that kerberized home is problem for .k5login file and also for
> .ssh/authorized_keys. While the .k5login file is accessed with root context
> (sshd), the authorized_keys is accessed with user context, so login via ssh
> pubkey is not possible at all. 
What would the .k5login look like and what would the principal look like?
My apologies but I'm not very familar with how sshd interacts with 
the .k5login. 

> 
> moreover, consider scenario where a user has symlink from his/her home to NFS
> share, without kerberos ticket, logon process can get stucked until he/she has
> the ticket. The ticket cannot be created until success logon.
Yeah... This has been a long running problem which is why
I'm curious about your RFC... 
 
> 
>>> Consider the following scenario:
>>> 1) machine has NFS mounted /home using kerberos authentication
>>> 2) user logs in, sshd creates krb ticket ($HOME/.k5login needs to be world
>>> readable to allow kerberized access, e.g., using kerberos ticket)
>>> 3) user stays logged in and krb ticket expires
>>> 4) kinit to renew ticket produces strange error because $HOME is not
>>> accessible and a new ticket is not created.
>>>
>>> So, I think in this case, I would like to see rpc.gssd uses host keytab while
>>> user's ticket is not available, which maps to nobody/nogroup, but kinit should
>>> succeed.
>> Who is going the kinits in this scenario?
> 
> the user comes back and wants to issue kinit. Kinit fails due to eperm on
> anything in $HOME. The user has to log off and on again.
I see.

> 
>> I'm pretty sure sssd will what you are looking for.
> 
> how this could help me to work around expired tickets?
> 
sssd will renew the ticket before it expired (I think).
But the user has to be known to a ipa-server on 
an ipa-client, so this may not be workable... 

steved.

next prev parent reply	other threads:[~2016-11-29 19:28 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-11-28 18:37 RFC rpc.gssd enhancement Lukas Hejtmanek
2016-11-29 18:37 ` Steve Dickson
2016-11-29 18:48   ` Lukas Hejtmanek
2016-11-29 19:28     ` Steve Dickson [this message]
2016-12-02 11:41       ` Lukas Hejtmanek
     [not found]         ` <CAHVgHyU6LQak3O4ybR0H3whWCKUdfz2bxLvEGi9uFM1EX+e=Eg@mail.gmail.com>
2016-12-02 14:00           ` Fwd: " Andy Adamson
     [not found]           ` <20161202134638.4ghyb5wnnwata4ec@ics.muni.cz>
2016-12-02 14:23             ` Andy Adamson
2016-12-02 14:28               ` Lukas Hejtmanek
2016-12-02 15:09                 ` Andy Adamson
2016-12-08 12:36                   ` Lukas Hejtmanek
2016-12-08 13:18                     ` Andy Adamson
2016-12-08 13:23                       ` Lukas Hejtmanek
2016-12-08 13:40                         ` Andy Adamson
2016-12-08 21:11                     ` Olga Kornievskaia
2016-12-08 21:22                       ` Lukas Hejtmanek
2016-12-08 21:50                         ` Olga Kornievskaia
2016-12-08 21:58                           ` Olga Kornievskaia
2016-11-29 20:04 ` Olga Kornievskaia

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2ff5b760-a3ca-9ab8-d1a8-efe5f36aaaf3@RedHat.com \
    --to=steved@redhat.com \
    --cc=linux-nfs@vger.kernel.org \
    --cc=xhejtman@ics.muni.cz \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).